WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

So you think SharePoint is secure?
Think again!

Jamie Bodley-Scott looks at the insecurities Sharepoint introduces and suggests a three dimensional model to stem the resultant flow of data.

Microsoft SharePoint was originally conceived to make it easier for people to collaborate. It enables the sharing of ideas, information and expertise; the ability to manage documents from start to finish; and publish reports that help everyone, ideally, to make better decisions. And, with resultant vast data stores, it provides a comprehensive search facility for users to quickly find appropriate content. The problem is that, all too easily, anyone can find things they shouldn’t. The result is inappropriate snooping; and that spells trouble for every organization using the tool.

Before we continue, it’s worth clarifying that SharePoint, itself, isn’t insecure: it’s the way it is used that causes the problem. The reason is the controls used by most organizations are inadequate. For example, access rights in SharePoint relate to users; but hidden behind location proxies.

For example - two colleagues sitting next to each other will have access to data. However, this doesn’t mean that they both need, or in fact should, be able to access the same information. If user one discovers he doesn’t have access to a particular file, and his colleague does, the reality is he’ll simply ask for him/her to ‘copy’ the file somewhere they can both access. After all, it’s just an IT ‘mistake’. The problem is it’s not just them that can now see and access the file - every one that has access to the shared directory can too. Add SharePoint to the mix and suddenly information that was previously hidden is not only available, but also appears in search results!

If you think this doesn’t happen I’m sorry to be the bearer of bad news: it not only does but most people don’t think it’s a problem. In a recent survey, conducted amongst 100 SharePoint users, 34 percent confessed they never really thought about the security implications of SharePoint. Perhaps more worryingly, 45 percent have copied confidential or sensitive information from SharePoint to a local PC, USB key or even emailed it to a third party, with 18 percent admitting to regularly doing this.

The main reasons for copying documents from SharePoint are either to work from home (43 percent) or share it with third parties who don't have access (over 55 percent). What this demonstrates is that SharePoint, while supposedly a business enabler, is actually seen by many employees as a barrier to productivity so doesn't live up to its full potential as an inclusive collaboration tool.

While it could be considered admirable that employees are so dedicated to getting the job done, the fact remains that they're flouting procedures and security put in place for good reason. Ignoring the consequences is a risky strategy.

Organizations recognise the workforce needs to be able to collaborate effectively, and it does, but they’re unwittingly encouraging lax security practices. If we’re not careful the danger will quickly outweigh the benefits. Under HIPAA, for example, organizations must now come clean if they suffer a breach of healthcare information affecting 500+ individuals – unsurprisingly the notification list is extensive! European legislation and other industries are all expected to introduce similar regulations.

Security is 3D
Rather than ignoring what's happening, organizations need to recognise the increasing porosity of the perimeter and that, for some, it may not even exist.

Today, security tends to be focused on users and their location. For example, what a user can access when in the relatively safe confines of the office will be different from what he/she can see when connecting remotely in the evening working from home, or the device being used. By the same token, where the information is stored can determine who has access – we return to our previous example of a file that one user could see but another couldn’t.

While historically that model worked, in today’s collaborative environment it is impractical. If a document is confidential then, no matter where it is located, the information it contains remains sensitive and should be secured. As our dutiful employees previously demonstrated, by moving the file to a shared directory the veil is lifted!

To prevent this a third dimension needs to be added:

User + Location + Context = The Full Picture

Organizations must add true user based rights AND supplement it with context based information to introduce a control model required for today’s collaborative environment.

However, here we encounter another issue. Going back to our survey, while a third of administrators feel that users are capable of controlling access rights all too often they’re not given the responsibility. Instead, it is IT administrators that remain overwhelmingly responsible for managing access rights within SharePoint (69 percent) – although the true figure is likely to be higher as 22 percent of users are blissfully unaware how access rights are managed and, therefore, it’s a pretty fair bet that it’s IT pulling the strings!

This is worrying. Not least because IT professionals aren’t best placed to determine why certain information is confidential and therefore introduce adequate control. But actually a third (35 percent) of SharePoint administrators are being nosy themselves, snooping around and peeking at documents they're not meant to read!

In case you’re interested, when digging deeper to see what was being viewed, 34 percent were looking at employee details, 23 percent salary details and eight percent merger and acquisition details and even redundancy notices!

I digress. Organizations serious about security need to embrace a three dimensional model and that means:

The User: should determine if something is sensitive or confidential, and therefore responsible for securing the sensitive content within the documents they author. Perhaps this will then encourage them to be more active in protecting the organization as a whole from data breaches.

The Location: when this sensitive information is then transferred to SharePoint it should be secured (and that means encrypted) and, more importantly, remain so even if moved to another location or device.

The Context : employing predefined security policies that secure information based on the context i.e. the type of document, where it’s going and where it’s from. Again, the specific rights of the document should remain in force even if the document is moved within, or from, SharePoint.

If you’re intending to harness the power of SharePoint then do it without compromising security. With this three dimensional approach, no one function needs to have access rights to sensitive information. Sorry IT administrators, no more sneaky peeks!

Author: Jamie Bodley-Scott, product specialist, Cryptzone UK

•Date: 27th March 2012 • Region: World •Type: Article • Topic: ISM

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.
   

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here